keytab created on MIT KDC with des3 enctype does not work with heimdal

Russ Allbery rra at stanford.edu
Thu Jun 8 20:40:49 EDT 2006


Arati Desai <artipdesai at yahoo.com> writes:

> I have a kerb5 setup with MIT KDC and heimdal client
> APIs to perform kerb5 authentication. I have created
> principals without specifying any keysaltlist. A
> keytab is created by running ktadd. klist shows-

> -bash2-2.05b$ sudo ktutil -k /tmp/osqa2.domain.com.keytab list
> /tmp/osqa2.domain.com:

> Vno  Type           Principal
>   5  des3-cbc-sha1  imap/osqa2.domain.com@DOMAIN.COM
>   5  des-cbc-crc    imap/osqa2.domain.com@DOMAIN.COM

> (Note: I have replaced domain with actual domain name)

> With this keytab, heimdal client gives authentication
> failure. When I debugged the code I found that it is
> failing in verify_checksum function.

Read the COMPATIBILITY section of the gssapi(3) man page.  Could that be
your problem?

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


